Configuring Symfony from localhost to High Availability #SymfonyCon @nicolasgrekas

@nicolasgrekas @nicolasgrekas https://symfony.com/the-fast-track

No content

@nicolasgrekas Configuring a Symfony app •DI parameters and PHP constants •Environment variables •Secrets •(High Availability)

What is a Symfony Application? @nicolasgrekas

A Symfony app Uses a compiled container @nicolasgrekas

No content

@nicolasgrekas config/services.yaml # Put parameters here that don't need to change on each machine where the app is deployed # https://symfony.com/doc/current/best_practices/configuration.html#application-related-configuration parameters: locale: 'en' # This parameter defines the codes of the locales (languages) enabled in the application app_locales: en|fr|de|es|cs|nl|ru|uk|ro|pt_BR|pl|it|ja|id|ca|sl|hr|zh_CN|bg|tr|lt app.notifications.email_sender: anonymous@example.com

@nicolasgrekas /** * Gets the private 'App\Command\ListUsersCommand' shared autowired service. * * @return \App\Command\ListUsersCommand */ protected function getListUsersCommandService() { $this->privates['App\\Command\\ListUsersCommand'] = $instance = new \App\Command\ListU ($this->services['swiftmailer.mailer.default'] ?? $this->getSwiftmailer_Mailer_Def 'anonymous@example.com', ($this->privates['App\\Repository\\UserRepository'] ?? $this->getUserRepositorySer ); $instance->setName('app:list-users'); return $instance; } var/cache/…/srcApp...Container.php

@nicolasgrekas var/cache/…/srcApp...Container.php /** * Gets the private 'App\EventSubscriber\CommentNotificationSubscriber' shared autowired s * * @return \App\EventSubscriber\CommentNotificationSubscriber */ protected function getCommentNotificationSubscriberService() { return $this->privates['App\\EventSubscriber\\CommentNotificationSubscriber'] = new \A ($this->services['swiftmailer.mailer.default'] ?? $this->getSwiftmailer_Mailer_Def ($this->services['router'] ?? $this->getRouterService()), ($this->services['translator'] ?? $this->getTranslatorService()), 'anonymous@example.com' ); }

@nicolasgrekas Parameters are static! •Updates require recompilation! •Available at built time •Cluster-wide settings Fit configuring client requirements!

@nicolasgrekas Parameter examples •Locale(s) •Facebook app id •Google Analytics tracker id •framework.cache.prefix_seed Anything commitable (this excludes secrets!)

Best Practice Define business- related settings in config/services.yaml

Best Practice Define rarely changing settings in PHP constants

No content

A Symfony app Can be configured dynamically via env vars @nicolasgrekas

@nicolasgrekas config/packages/mailer.yaml framework: mailer: dsn: '%env(MAILER_DSN)%'

@nicolasgrekas config/packages/doctrine.yaml doctrine: dbal: url: '%env(resolve:DATABASE_URL)%'

@nicolasgrekas var/cache/…/srcApp...Container.php /** * Gets the public 'doctrine.dbal.default_connection' shared service. * * @return \Doctrine\DBAL\Connection */ protected function getDoctrine_Dbal_DefaultConnectionService() { // ... return $this->services['doctrine.dbal.default_connection'] = (new \Doctrine\Bundle\DoctrineBundle\ConnectionFactory([])) ->createConnection([ 'driver' => 'pdo_sqlite', 'charset' => 'utf8mb4', 'url' => $this->getEnv('resolve:DATABASE_URL'), 'host' => 'localhost', 'port' => NULL, 'user' => 'root', 'password' => NULL, 'driverOptions' => [], 'serverVersion' => '3.15',

@nicolasgrekas vendor/dependency-injection/… if (isset($_ENV[$name])) { $env = $_ENV[$name]; } elseif (isset($_SERVER[$name]) && 0 !== strpos($name, 'HTTP_')) { $env = $_SERVER[$name]; } elseif (false === ($env = getenv($name)) || null === $env) { // ... Check httpoxy.org getenv() is not thread safe variable_order=EGPCS Access to fastcgi_params, env vars, etc.

@nicolasgrekas Environment Variables

@nicolasgrekas

@nicolasgrekas $ SYMFONY='<3' php -S localhost:8000

@nicolasgrekas Anything coming from the runtime environment •OS-level env vars •SAPI-level env vars – e.g. FastCGI parameters •.env files •File contents •FUSE mount points •Key/value services – Consul / DNS

@nicolasgrekas Reconfiguring the runtime environment? •Per-process, immutable: restart •Per-vhost/URL: reload the server •Committed: redeploy •Files : reupload •Virtual filesystem: live updates •Network service: live updates

@nicolasgrekas Environment variables •Don’t require recompiling the app •Can be updated live •Shouldn’t be used at built time •Can vary by deployment target Fit configuring hosting requirements!

Best Practice Define infrastructure- related settings in env vars

But how should we configure env vars?! @nicolasgrekas

@nicolasgrekas Delegated to devs: for mostly static parts •Commit defaults in .env •rsync .env.local composer dump-env prod (creates .env.local.php)

@nicolasgrekas Delegated to ops: enables auto-scaling •Ansile, chef, Dockerfile, etc. •Server vhosts •The web-UI of your hoster •Don’t forget about the CLI! symfony var:set FOO=bar

@nicolasgrekas Delegated to bots: unlocks high availability! •File rsync •Virtual filesystems •Key/value stores •Consul <3 (Consul Template too) Next: health checks, routing layer hot- reconfiguration with istio/envoy/traeffic/etc.

Best Practice Document all env vars in .env

@nicolasgrekas class ConsulEnvVarLoader implements EnvVarLoaderInterface { // ... public function loadEnvVars(): array { // $this->consulUrl = 'http://127.0.0.1:8500/v1/kv/website-config'; $consulVars = $this->httpClient ->request('GET', $this->consulUrl) ->toArray()[0]['value']; return json_decode(base64_decode($consulVars), true); } }

No content

Best Practice Increase complexity only when needed!

What about secrets? @nicolasgrekas

@nicolasgrekas

@nicolasgrekas $ SYMFONY='<3' php -S localhost:8000

Fact: .env.local.php is more secure than real env vars @nicolasgrekas

@nicolasgrekas Security threats – entropy •Remote access •Insecure deployment network •Shared hosting •Bad document root / php.ini •Employees leaving •Technical responsibilities in the wrong hands

@nicolasgrekas Security threats mitigation •Rotate secrets •Store and deploy secrets encrypted •Use .env.local.php •Use asymmetric cryptography •Make things convenient

@nicolasgrekas Secrets management tools •Pet .env.local file deployed via SSH •bin/console secrets:* •(Consul|Docker|Kubernetes) Vault

@nicolasgrekas

@nicolasgrekas

@nicolasgrekas $ cat config/secrets/dev/dev.GITHUB_API_TOKEN.aebb6a.php

@nicolasgrekas

@nicolasgrekas class SodiumVault implements EnvVarLoaderInterface public function loadEnvVars(): array { return $this->list(true); }

@nicolasgrekas Configure secrets framework: secrets: vault_directory: '%kernel.project_dir%/config/secrets/%kernel.environment%' local_dotenv_file: '%kernel.project_dir%/.env.local' decryption_env_var: 'base64:default::SYMFONY_DECRYPTION_SECRET' export SYMFONY_DECRYPTION_SECRET=$(php -r 'echo base64_encode( \ require "config/secrets/prod/prod.decrypt.private.php" \ );')

@nicolasgrekas Deploy secrets •Same workflow as code – git blame <3 •But the decryption key •Share the keys with the appropriate persons •Rotation is yours to build •Decrypt live – or at build time bin/console secrets:decrypt-to-local (populates .env.local)

Takeaways? @nicolasgrekas

@nicolasgrekas Key takeaways •Use parameters for business requirements •Use env vars for infra-related configuration •Use .env files first, increase complexity later •Use bin/console secrets:* •Use Consul/etc. when the need is here You’re on the path to high-availability!

Merci Thank you Gracias ﺍﺮﻜﺷ 多謝 Ευχαριστώ ありがとう 감사합 니다 Спасибо!

No content